11-23-2022 08:18 AM
Hi guys
I am a bit lost in our own network...... We have a PA-820 cluster in active-passive mode. It has been running for maybe 7 months now. Each firewall has 2 uplinks to our 2 core switches and 1 downlink to the access switch (with a subcontractor on it).
We noticed around 2 weeks ago that all those 6 ports have had hardware receive errors since we installed them. The downlink ports to the access area have a lot more (292'359 in around 1.5 weeks) than the uplinks (around 9'000). The access area does not communicate that much to the outside. The uplinks are singlemode fibre and the downlink is normal RJ45. I changed the RJ45 already without any success. The SFPs are Finisar 1G and should be supported, although the firewall does not recognize them (there is no vendor name or vendor part number). However, the hardware shouldn't be the issue, as we have the same situation on fibre & copper.
I did some research and packet captures and initially thought it's because of STP frames arriving on the port, which count as errors. But after disabling it the counters still increase. So currently I have no non-IP traffic on those interfaces according to the PCAP.
I found the following command which shows you recent counters and also drops:
show counter global filter delta yes
When using this command I see following drops: (also see attachment)
name                    value  rate  severity  category  aspect   description
flow_rcv_dot1q_tag_err     23     0  drop      flow      parse    Packets dropped: 802.1q tag not configured
flow_no_interface          23     0  drop      flow      parse    Packets dropped: invalid interface
flow_ipv6_disabled        800    13  drop      flow      parse    Packets dropped: IPv6 disabled on interface
flow_policy_deny         1121    19  drop      flow      session  Session setup: denied by policy
flow_fwd_l3_bcast_drop   5677    98  drop      flow      forward  Packets dropped: unhandled IP broadcast
flow_fwd_l3_mcast_drop    775    13  drop      flow      forward  Packets dropped: no route for IP multicast
flow_fwd_l3_noroute        13     0  drop      flow      forward  Packets dropped: no route
flow_fwd_l3_noarp          11     0  drop      flow      forward  Packets dropped: no ARP
flow_host_service_deny    746    12  drop      flow      mgmt     Device management session denied
Does anyone have an idea how I can continue to troubleshoot this?
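The counter table above is easier to reason about once it is ranked by rate and summed per aspect, so that the counters that are still moving stand out from the ones that only twitched once. The following script is an added example, not code from the original post or from Palo Alto Networks: the sample text is the table quoted in the post, while the regex for the row layout and the ranking logic are my own assumptions about how the CLI prints it.

```python
"""Rank the drop counters from `show counter global filter delta yes`.

Added example, not from the original post or from Palo Alto Networks. The
sample text below is the counter table quoted in the post; the parsing
regex and the ranking logic are assumptions about the text layout.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the rows as they appear in the post (header included).
SAMPLE_OUTPUT = """\
name value rate severity category aspect description
flow_rcv_dot1q_tag_err 23 0 drop flow parse Packets dropped: 802.1q tag not configured
flow_no_interface 23 0 drop flow parse Packets dropped: invalid interface
flow_ipv6_disabled 800 13 drop flow parse Packets dropped: IPv6 disabled on interface
flow_policy_deny 1121 19 drop flow session Session setup: denied by policy
flow_fwd_l3_bcast_drop 5677 98 drop flow forward Packets dropped: unhandled IP broadcast
flow_fwd_l3_mcast_drop 775 13 drop flow forward Packets dropped: no route for IP multicast
flow_fwd_l3_noroute 13 0 drop flow forward Packets dropped: no route
flow_fwd_l3_noarp 11 0 drop flow forward Packets dropped: no ARP
flow_host_service_deny 746 12 drop flow mgmt Device management session denied
"""

# One counter row: six whitespace-separated fields, then a free-text description.
ROW_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<value>\d+)\s+(?P<rate>\d+)\s+(?P<severity>\S+)\s+"
    r"(?P<category>\S+)\s+(?P<aspect>\S+)\s+(?P<description>.+)$"
)


@dataclass(frozen=True)
class Counter:
    name: str
    value: int        # delta since the previous invocation
    rate: int         # per-second rate over the delta window
    severity: str
    category: str
    aspect: str
    description: str


def parse_counters(text):
    """Return the Counter rows found in the CLI text, skipping the header."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m is None:          # header line or unrelated output (value is not numeric)
            continue
        rows.append(Counter(
            m["name"], int(m["value"]), int(m["rate"]),
            m["severity"], m["category"], m["aspect"], m["description"].strip(),
        ))
    return rows


def active_drops(counters):
    """Drop counters that are still moving (rate > 0), highest rate first."""
    return sorted(
        (c for c in counters if c.severity == "drop" and c.rate > 0),
        key=lambda c: c.rate, reverse=True,
    )


def totals_by_aspect(counters):
    """Sum the delta values per aspect (parse / session / forward / mgmt)."""
    totals = defaultdict(int)
    for c in counters:
        totals[c.aspect] += c.value
    return dict(totals)


if __name__ == "__main__":
    rows = parse_counters(SAMPLE_OUTPUT)
    for c in active_drops(rows):
        print(f"{c.rate:>4}/s  {c.name:<24} {c.description}")
    print(totals_by_aspect(rows))
```

Run the command a few times with `delta yes`, paste each output through `parse_counters`, and compare the rankings: a counter that tops the list on every sample is worth a packet filter on the interface, while one that shows up once and then reads zero is noise.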
11-23-2022 11:24 AM
Hello @tulkas
Check out these support links:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClWoCAK
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClWkCAK
Cheers
11-23-2022 07:27 PM
Hello @tulkas
thanks for posting in LIVEcommunity!
- Could you confirm what devices are connected uplink and downlink to the Firewall?
- My first suspect for non-IP traffic would be anything that arrives at an interface of the Firewall but that the Firewall does not understand. For example CDP, DTP, VTP, PAgP. Have you seen any layer 2 traffic in the packet capture?
Kind Regards
Pavel
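The layer 2 protocols named in the reply (CDP, DTP, VTP, PAgP) are not Ethernet II frames with an EtherType; they ride in 802.3 frames with an LLC/SNAP header, so a capture filtered only on IP never shows them. The classifier below is an added example, not code from the thread or from Palo Alto Networks: it walks raw frame bytes, distinguishes Ethernet II from 802.3/LLC, recognizes STP by its LLC SAP and the Cisco protocols by their SNAP OUI and PID, and counts whatever is not IP. The frames it runs on are constructed by hand for the demonstration, not real captures.

```python
"""Classify captured Ethernet frames as IP or as layer-2 control traffic.

Added example, not from the original thread or from Palo Alto Networks. The
frames below are constructed by hand (not real captures); the protocol
identifiers are the standard LLC/SNAP values for STP and for the Cisco
protocols named in the reply (CDP, DTP, VTP, PAgP).
"""
import struct
from collections import Counter

SNAP_OUI_CISCO = bytes.fromhex("00000c")
CISCO_SNAP_PIDS = {0x2000: "CDP", 0x2003: "VTP", 0x2004: "DTP", 0x0104: "PAgP"}
ETHERTYPES = {0x0800: "IPv4", 0x86DD: "IPv6", 0x0806: "ARP", 0x88CC: "LLDP"}
IP_LABELS = ("IPv4", "IPv6", "ARP")


def classify_frame(frame):
    """Return a short protocol label for one raw Ethernet frame."""
    if len(frame) < 14:
        return "runt"
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    if type_or_len == 0x8100 and len(frame) >= 18:
        # 802.1Q: note the VLAN, strip the 4-byte tag and classify the inner frame
        vlan = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        return f"vlan {vlan}: " + classify_frame(frame[:12] + frame[16:])
    if type_or_len >= 0x0600:
        # Ethernet II: the field is an EtherType
        return ETHERTYPES.get(type_or_len, f"ethertype 0x{type_or_len:04x}")
    # 802.3: the field is a length and an LLC header (DSAP, SSAP, control) follows
    if len(frame) < 17:
        return "truncated LLC"
    dsap, ssap, ctrl = frame[14], frame[15], frame[16]
    if dsap == 0x42 and ssap == 0x42:
        return "STP BPDU"
    if dsap == 0xAA and ssap == 0xAA and ctrl == 0x03 and len(frame) >= 22:
        # SNAP: 3-byte OUI plus 2-byte protocol id identify the vendor protocol
        oui, pid = frame[17:20], struct.unpack("!H", frame[20:22])[0]
        if oui == SNAP_OUI_CISCO and pid in CISCO_SNAP_PIDS:
            return CISCO_SNAP_PIDS[pid]
        return f"SNAP oui {oui.hex()} pid 0x{pid:04x}"
    return f"LLC dsap 0x{dsap:02x} ssap 0x{ssap:02x}"


def non_ip_summary(frames):
    """Count every frame that is not IPv4/IPv6/ARP, keyed by its label."""
    labels = (classify_frame(f) for f in frames)
    return Counter(l for l in labels if l.split(": ")[-1] not in IP_LABELS)


def _llc_frame(dst, payload):
    """Build an 802.3 frame: dst, constructed src MAC, length field, LLC payload."""
    src = bytes.fromhex("020000000001")   # constructed locally-administered MAC
    return dst + src + struct.pack("!H", len(payload)) + payload


CISCO_MCAST = bytes.fromhex("01000ccccccc")   # destination used by CDP/VTP/DTP/PAgP
STP_MCAST = bytes.fromhex("0180c2000000")     # IEEE bridge group address
SNAP_HDR = bytes.fromhex("aaaa03")            # DSAP=SSAP=0xAA, control=UI

# Constructed sample frames (payload bodies are dummy bytes).
SAMPLE_FRAMES = [
    _llc_frame(CISCO_MCAST, SNAP_HDR + SNAP_OUI_CISCO + struct.pack("!H", 0x2000) + b"\x02\xb4\x00\x00"),
    _llc_frame(CISCO_MCAST, SNAP_HDR + SNAP_OUI_CISCO + struct.pack("!H", 0x2004) + b"\x01\x00"),
    _llc_frame(STP_MCAST, bytes.fromhex("424203") + bytes(35)),
    bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + bytes.fromhex("0800") + bytes(20),
    bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    + bytes.fromhex("8100") + bytes.fromhex("000a") + bytes.fromhex("0800") + bytes(20),
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(classify_frame(f))
    print(non_ip_summary(SAMPLE_FRAMES))
```

Feed it the raw bytes of each record from whatever capture reader you use on the firewall's PCAP; a non-empty summary on an interface that is supposed to carry only routed traffic tells you which neighbour protocol to turn off or filter on the switch side.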